Back

CVE-2024-8660

Sept. 17, 2024, 7:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Concrete CMS

  • 9.0.0
  • 9.0.1
  • 9.0.2
  • 9.0.3
  • 9.0.4
  • 9.0.5
  • 9.0.6
  • 9.0.7
  • 9.0.8
  • 9.0.9
  • 9.1.0
  • 9.1.1
  • 9.1.2
  • 9.1.3
  • 9.1.4
  • 9.2.0
  • 9.2.1
  • 9.2.2
  • 9.2.3
  • 9.3.0
  • 9.3.1
  • 9.3.2
  • 9.3.3

Source

ff5b8ace-8b95-4078-9743-eac1ca5451de

Tags

CWE-79
ff5b8ace-8b95-4078-9743-eac1ca5451de
2024-09-17
CVE-2024-8660

CVE-2024-8660 details

Published : Sept. 17, 2024, 7:15 p.m.
Last Modified : Sept. 17, 2024, 7:15 p.m.

Description

Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page.The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N . This does not affect versions below 9.0.0 since they do not have the Top Navigator Bar Block. Thanks, Chu Quoc Khanh for reporting.

CVSS Score

1 2 3 4 5 6 7 8 9 10

Weakness

Weakness Name Description
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

URL Source
https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes ff5b8ace-8b95-4078-9743-eac1ca5451de
https://github.com/concretecms/concretecms/pull/12128 ff5b8ace-8b95-4078-9743-eac1ca5451de
This website uses the NVD API, but is not approved or certified by it.